I managed to double-redeem an OAuth authorization_code: atomic consume + family-revoke (PR #548 PP H1)
Ezgi is a 33-year-old independent SaaS developer and OAuth integration specialist based at ODTU Teknokent in Ankara. Of her 5 years of experience, 3 were on the Trendyol API team (OAuth 2.0, OIDC, PKCE) and 2 have been solo; she writes the Turkish OAuth/OIDC research blog @ezgi-oauth. In Q1 2026 she focused on the authorization_code grant flow of thMenu's Phase 2 OAuth (PR #526 HH). RFC 6749 §4.1.2 and the OAuth 2.0 Security BCP §4.10 require that a code be consumed atomically and redeemed exactly once, and that a repeat redemption revoke every token in the authorization grant family. The authorization_code grant handler behind POST /api/oauth/token consumed the code non-atomically and had no family-revoke at all.

Lab reproduction: a test OAuth client with client_id, client_secret and a PKCE code_verifier obtained an authorization_code from the authorize endpoint, then sent POST /token with grant_type=authorization_code, the code and the code_verifier. The first redemption returned 200 OK with an access_token and a refresh_token, as expected. A second POST with the same code also returned 200 OK, with a different access_token and a different refresh_token: one code redeemed twice.

Impact: an attacker who intercepts the authorization_code (browser history, a referer leak, a browser extension abusing its scope) can redeem it at /token before the legitimate client does, and both sides end up holding a valid access_token, on a Pro tier with admin operations. No family-revoke existed either: refresh_token rotation per BCP §4.14 had shipped in PR #526 HH F1, but nothing equivalent covered the authorization_code, so two refresh_tokens lived in parallel.

The writeup rated the issue CVSS 8.1 HIGH and proposed an atomic UPDATE oauth_authorization_codes SET redeemed_at=now WHERE code=? AND redeemed_at IS NULL, with meta.changes=0 treated as the detection signal, plus a family-revoke over oauth_refresh_tokens WHERE auth_grant_family_id=?, the sibling of the PR #526 HH F1 pattern.

Engineering took 1 hour to reproduce and went through 3 wrong theories first: (1) the PKCE code_verifier prevents double-redeem; it does not, PKCE is an interception defense, not double-redeem prevention; (2) the 60-second code expiry is enough; it is not, because a race-to-redeem fits comfortably inside a 60-second window, so an atomic consume is mandatory; (3) DELETE-then-INSERT is fast enough; it is not, because concurrent commits can still race at the D1 transaction layer, so the atomic UPDATE with an inline filter is mandatory (CLAUDE.md §17). The correct fix is the atomic UPDATE, a 400 invalid_grant when meta.changes=0, and a family-revoke cascade.
Forensic analysis: apps/web-admin/src/app/api/oauth/token/route.ts followed the SELECT-then-UPDATE anti-pattern. Two parallel /token requests carrying the same code both SELECT a row where redeemed_at IS NULL, both see a valid code, both issue tokens, and the two UPDATEs resolve last-writer-wins, leaving two access_tokens and two refresh_tokens. oauth_authorization_codes had no auth_grant_family_id column, so the issued refresh_tokens were not tied to any family and a family-revoke was impossible: a BCP §4.10 violation.

PR #548 (batch PP H1) ships a 3-layer fix. Layer 1, atomic consume with an inline filter: UPDATE oauth_authorization_codes SET redeemed_at=? WHERE code=? AND redeemed_at IS NULL; meta.changes=0 means the code was already redeemed and is treated as a potential attack. Layer 2, family-revoke cascade: an auth_grant_family_id column was added, a random UUID is assigned when the code is issued, the tokens issued at /token link oauth_refresh_tokens through auth_grant_family_id, and familyRevoke runs asynchronously (SELECT the family_id, then UPDATE oauth_refresh_tokens SET revoked_at WHERE auth_grant_family_id matches) and logs console.warn [BEACON:oauth_family_revoke]. Layer 3, a Sentry beacon plus an audit log shipped via Logpush, which doubles as SOC 2 evidence and an intrusion-detection signal.

A 90-day production audit of /api/oauth/token with grant_type=authorization_code found 3200 requests and 0 double-redeems; the Phase 2 OAuth narrow beta with 12 integration partners showed no exploitation. In the 30 days after deployment there were 4100 redeems, 0 double-redeems and only legitimate single redemptions. The lab test of the family-revoke behaves as intended: the second redemption gets a 400, the first redemption's tokens are revoked and the Sentry beacon fires.

Ezgi received €2200 via Wise for the CVSS 8.1 finding, a Hall of Fame entry and a seat on the advisory board; her Turkish OAuth blog reaches a community of 2.4k Turkish OAuth integrators, and the endpoint is now RFC 6749 / BCP §4.10 compliant. Stefan, 36, from Berlin Friedrichshain, 8 years of experience and formerly of the Zalando API team, disclosed the same issue in parallel and also received €2200 (LinkedIn, 4.6k followers).

The pattern: at an OAuth 2.0 token endpoint, authorization_code and refresh_token redemption must ALWAYS use an atomic UPDATE with an inline filter, and a double-redeem must ALWAYS trigger a family-revoke cascade (RFC 6749, BCP §4.10 and §4.14). The sibling sweep covered oauth_authorization_codes (PP H1), oauth_refresh_tokens (PR #526 HH F1), oauth_access_tokens (15-minute short-lived, family_id cascade), affiliate_otp_codes (PR #646 VI F3), customer_email_links (PR #335) and oauth_pkce_challenges (PR #526 HH F1).
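The three layers above, as an added example that is not thMenu's route.ts: a Python port on an in-memory SQLite database (D1 is SQLite-based, and cursor.rowcount stands in for D1's meta.changes). The table columns, the ttl_s parameter and the autocommit setup are assumptions for the demo.

```python
import sqlite3
import time
import uuid

# Constructed stand-in for the two D1 tables named in the writeup (D1 is SQLite-based).
SCHEMA = """
CREATE TABLE oauth_authorization_codes (code TEXT PRIMARY KEY, client_id TEXT NOT NULL,
  auth_grant_family_id TEXT NOT NULL, expires_at INTEGER NOT NULL, redeemed_at INTEGER);
CREATE TABLE oauth_refresh_tokens (token TEXT PRIMARY KEY,
  auth_grant_family_id TEXT NOT NULL, revoked_at INTEGER);
"""

def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:", isolation_level=None)  # autocommit: one statement, one commit
    db.executescript(SCHEMA)
    return db

def issue_code(db, client_id: str, ttl_s: int = 60) -> str:
    """Authorize step: mint a code plus a random grant-family id (the Layer 2 link)."""
    code = uuid.uuid4().hex
    db.execute("INSERT INTO oauth_authorization_codes VALUES (?, ?, ?, ?, NULL)",
               (code, client_id, str(uuid.uuid4()), int(time.time()) + ttl_s))
    return code

def revoke_family(db, family_id: str) -> int:
    """Layer 2: revoke every live refresh_token descended from this grant; returns count."""
    cur = db.execute("UPDATE oauth_refresh_tokens SET revoked_at = ? "
                     "WHERE auth_grant_family_id = ? AND revoked_at IS NULL",
                     (int(time.time()), family_id))
    return cur.rowcount

def redeem_code(db, code: str, client_id: str) -> dict:
    """Layer 1: the WHERE clause is the consume check (no SELECT-then-UPDATE window); rowcount ~ meta.changes."""
    now = int(time.time())
    cur = db.execute("UPDATE oauth_authorization_codes SET redeemed_at = ? WHERE code = ? "
                     "AND client_id = ? AND redeemed_at IS NULL AND expires_at > ?",
                     (now, code, client_id, now))
    if cur.rowcount == 0:
        # Unknown, expired, or already redeemed; only the last is a replay and cascades.
        row = db.execute("SELECT auth_grant_family_id, redeemed_at FROM "
                         "oauth_authorization_codes WHERE code = ?", (code,)).fetchone()
        revoked = revoke_family(db, row[0]) if row and row[1] is not None else 0
        # Layer 3 would emit the [BEACON:oauth_family_revoke] log line here when revoked > 0.
        return {"error": "invalid_grant", "revoked_tokens": revoked}
    family_id = db.execute("SELECT auth_grant_family_id FROM oauth_authorization_codes "
                           "WHERE code = ?", (code,)).fetchone()[0]
    refresh_token = uuid.uuid4().hex
    db.execute("INSERT INTO oauth_refresh_tokens VALUES (?, ?, NULL)", (refresh_token, family_id))
    return {"access_token": uuid.uuid4().hex, "refresh_token": refresh_token}
```

A replayed code gets 400 invalid_grant and the first redemption's refresh_token is revoked in the same call; an expired or wrong-client code also fails but revokes nothing, since no redemption ever happened.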
Implementation checklist: identify every single-use token table; consume with an atomic UPDATE and an inline filter; return 400 when meta.changes is 0; add a family_id column; add the family-revoke cascade; add the Sentry beacon; add a PR template checkbox; run an RFC / BCP compliance audit quarterly. PR #548 is the reference implementation.
thMenu Team
thmenu.com